Cloud Native programming with Golang

Symmetric-key algorithms in HTTPS

Now, let's return to the world of web applications and HTTP. In general, web applications are just different pieces of software that communicate using the HTTP protocol. As mentioned earlier in the chapter, to secure HTTP and transform it to HTTPS, we will combine it with another protocol called TLS. The TLS protocol makes use of symmetric-key algorithms to encrypt HTTP data between a client and a server. In other words, the web client and the web server start their communication by agreeing on a shared encryption key (some call it a shared secret), which is then used to protect the data going back and forth between them.

The sender application uses the key to encrypt the data before sending it to the recipient application, which in turn utilizes a copy of the same key to decrypt this data. This process is the symmetric-key algorithm part of the TLS protocol.


This sounds all good and well, but how exactly would a web client and web server securely agree on the same encryption key before starting to use it to send encrypted data? Obviously, the web client can't just send the key in plain text to the web server and not expect the key to be captured by an unauthorized third party, which could then simply decrypt any secure communication using the stolen key. The answer, as we mentioned earlier, is that the TLS protocol relies on not one, but two types of cryptographic algorithms to secure HTTP. The symmetric-key algorithms, which we have covered so far, are used to secure most of the communication; the public-key algorithms are used for the initial handshake. This is where the client and the server say hi and identify each other, then agree on an encryption key to use thereafter.